The European Commission is preparing for the eventuality that the European Court of Justice (ECJ) may invalidate the EU-US data transfer agreement, known as the Privacy Shield, Justice Commissioner Didier Reynders has said.
In a long-awaited case on 16 July, the ECJ will rule on whether Standard Contractual Clauses (SCCs) are a legitimate way of transferring data to legal regimes outside of the EU while respecting EU data protection law.
By extension, the ECJ could also adopt a position on the validity of the Privacy Shield agreement, the mechanism used for transferring personal data between the EU and the US.
It would not be the first time judges at the highest court in Europe have invalidated an EU-US data framework, after the nullification of the 2015 Safe Harbour agreement, which eventually led to the creation of the Privacy Shield.
Speaking as part of a Brussels videoconference event on Tuesday (30 June), the EU’s Justice Chief Didier Reynders was pressed on what measures that the Commission is considering, should the ECJ decide to invalidate the Privacy Shield agreement.
Reynders said the Commission was conducting “preparatory works about the different possibilities that will result from the decision of the court.”
“We don’t have one plan, but we have some ideas about the different ways to give an answer, following the scope of the decision of the court,” he added, keeping his cards close to his chest, however, on the specifics of how the Commission would react to a legal invalidation of the Privacy Shield.
In a non-binding opinion in December, the ECJ found that the Commission’s standard contractual clauses (SCC), used for data transfers between EU and non-EU countries were ‘valid.’ Opinions issued by the court are normally good indications on how final rulings turn out.
The case comes following a legal challenge from Austrian privacy activist Max Schrems, who believes that the Commission’s standard contractual clauses do not adequately protect citizen’s privacy.
Such contracts are issued in the absence of a data transfer adequacy agreement between the Commission and parties outside of the bloc, in an attempt to provide sufficient data protection safeguards. They are used by thousands of businesses worldwide, including tech giants such as Facebook.
Should the court rule in favour of Schrems in July, the move could have profound consequences on the way data flows operate between EU and non-EU businesses, and may oblige firms to stop making such data transfers or potentially face hefty fines.
On the Privacy Shield agreement, ECJ Attorney General Saugmandsgaard Øe’s December opinion states that the courts should not necessarily be required to rule on the validity of the accord, due to the fact that the dispute in question only concerns the Commission’s establishment of standard contractual clauses.
However, the Advocate General himself questioned the legitimacy of the agreement, stating that there are “reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”
In a previous 2015 case, Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbour’ privacy principles, developed to prevent private companies in the EU or the US from losing or accidentally revealing personal data belonging to citizens.
That year, ECJ Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbour agreement should be rendered invalid, and added that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached.
The ECJ ultimately upheld Bot’s opinion and the Safe Habour agreement was invalidated.
The court will deliver the ruling on the case C-311/18, Facebook Ireland and Schrems, on 16 July.
[Edited by Zoran Radosavljevic]